Years of lobbying in the EU has paid off for scientists in Denmark, who for years have the privilege of getting access to rich personal data registers without having to ask for consent. Interview with an epidemiology professor, who thinks that researchers should have more freedom to use such data.
Penicillin was discovered accidentally. The Scottish researcher Alexander Fleming studied the bacteria, Staphylococci, forming colonies on plates. When he returned to his lab after a vacation, he found mould in a plate, and no bacterial colonies around the mould, and said ‘That’s funny’. He started exploring this, which eventually led to the discovery of penicillin in 1928, for which he received the Nobel Prize. It became the most widely used antibiotic in the world.
Many other major discoveries, by nature surprising, have emerged out of unplanned and surprising observations as the key first step to new and often very useful knowledge. Because of data protection laws, and especially in the way they are implemented, it is harder to make new discoveries this way. The prevailing requirement that everything should be planned in detail before access to the data can be permitted obviously blocks for one of the most important steps in research, namely seeing something unexpected, and thereafter pursuing it by immediately checking in other data if it holds true.
Such is the statement from professor of genetic and metabolic epidemiology, Thorkild I.A. Sørensen from University of Copenhagen:
“Today, we have to state the purpose of our science project in detail, when we ask for permission to use personal data registers in our research. This prevents us from exploring data, changing plans along the way, looking for patterns in data without necessarily having a pre-specified purpose, and then testing in other data whether such new observations holds true. I think we should allow science making accidental new big discoveries like what Alexander Fleming did.”
Thorkild Sørensen has been following – and influencing – the development of data protection laws in Europe for decades, and is among the people, who worked hard to keep Denmark like a data heaven for epidemiological researchers. He was heavily engaged in securing the research opportunities in the political processes leading to the EU Directive and to the subsequent EU legislation for GDPR.
In the 1990s, Denmark was the only member state in EU, where research could be conducted on the basis of general register information without informed consent. When Thorkild got hold of the draft of the first EU directive on personal data, he quickly realised, as did many of his epidemiological colleagues, that if implemented as it was, the Danish research privilege would be history.
“It would have meant that we should get consent for everything we did, including from the deceased. Pretty absurd,” says Thorkild, who got a chance via the European Heart Association to go through the draft with the official in Brussels, who had drafted it. “We went through the draft, paragraph by paragraph. The commission had received many objections to the draft from researchers in Denmark and collaborators abroad. This came as a great surprise to Commission, not being aware of these research opportunities. Fortunately, they listened, and this specific part of the Directive was amended accordingly.”
His and others’ efforts, not least including persistent efforts by a Danish Member of the European Parliament, eventually secured the unique register-based research opportunities without consent also in the GDPR. Other EU member states like Sweden and Finland, also benefit from this adaptation of the European rules. However, according to Thorkild, the escape clauses are of particular value for Denmark because of several unique national registers that are older than what other countries have access, e.g. the Danish Cancer Register that dates back to 1942. This allows investigations over very long time periods and makes the requirement of consent impossible to fulfill.
No Opting Out
Thorkild Sørensen is very pleased with the political approval that Danes today cannot opt out of the allowance to use the personal data for research. Opting out would very likely create serious biases and therefore possibly make the research of much less validity. As an example of the political support, he mentions what happened to the law about the ‘central person register number (CPR-no)’, assigned to all citizens in Denmark. According to a previous version of the law, people were allowed to opt out from being contacted by researcher, when they recorded changes in residence address in that register. This actually became an increasing problem when more than 10% of the population had done so, he says.
“When Margrethe Vestager (currently Executive Vice President of the EU commission) was minister of internal affairs, she recognized the problem with the opting out and therefore proposed the Parliament to remove it, also with retrospective effects. It was passed through unanimously, with the key argument that persons contacted could just refuse participation.” Thorkild says.
No Human Harm
As far as Thorkild Sørensen remembers, he has never encountered cases where researchers have abused personal data to harm any of the person(s) behind that data. The researchers working with personal data are not focussing on the identified person, but on what’s in the relationships in the data. If researchers are tempted to focus on the identified persons without consent, they are no longer researchers, he says.
He agrees that there are examples of abuse or risk of abuse of data, e.g. from private Facebook researchers (Cambridge Analytica / Facebook scandal) or in the cases where large amount of personal data has been accidentally released on e.g. CDs.
“Of course there are risks of abuse. However, if a researcher do this, it is a criminal act and should be treated as such. With no examples of harm caused by a researcher using personal data, concrete reactive measures make much more sense rather than the preventive measures used now. I don’t think this purely theoretical risk can justify the suspiciousness, stiffness and resistance towards use of personal data in scientific research prevailing in some circles that have led to the very tedious bureaucratic procedures to get access to such data.”
However, Thorkild Sørensen recognizes that this manifest would require full openness and transparency plus ethical and legal oversight over the use of personal data to keep the research privileges of today. His hope is that the implementation of the GDPR as times goes by will be much more researcher-friendly and pragmatic than it is by now.
Box: Article 5 in GDPR is regulating scientists’ use of personal data without consent:
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”